SaltStack advanced topics

1. masterless

Use cases

  • the network between master and minion is down, unstable or high-latency
  • you want to run states directly on the minion itself

In a conventional SaltStack deployment, states are executed through the master, which drives the minions. What do you do when the network is unreliable, when you want to apply a state locally on the minion, or when you have only a single host? That is what masterless mode is for.

With masterless you can use SaltStack on a single host; you do not need a multi-host master/minion architecture.

Masterless configuration

Environment:

System   IP               Role    Software
centos   192.168.136.141  minion  salt-minion

Edit /etc/salt/minion:

  • comment out the master line
  • uncomment file_client and set it to local
  • set file_roots
  • set pillar_roots
[root@minion ~]# vim /etc/salt/minion
......
......
# resolved, then the minion will fail to start.
# master: salt  
# master: 192.168.136.130     # comment out the master line
......
......
file_client: local            # uncomment and set to local: files are served from this host, not fetched from a master
......
......
file_roots:                   # one path per environment; define only the environments you actually use
  base:
    - /srv/salt/base
pillar_roots:                 # set the same way for pillar data
  base:
    - /srv/pillar/base

Stop the salt-minion service (the daemon is only needed to talk to a master; in masterless mode it would just keep retrying the connection)

[root@node01 ~]# systemctl stop salt-minion.service 
[root@node01 ~]# systemctl disable --now  salt-minion.service 
[root@node01 ~]# systemctl status salt-minion.service 
● salt-minion.service - The Salt Minion
   Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:salt-minion(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltproject.io/en/latest/contents.html

Using the salt-call command

In masterless mode, execution modules and state files are run with salt-call rather than with salt or salt-ssh. Always pass the --local option: it makes salt-call run entirely on this host and skip contacting a master, whatever the config file says about one.

[root@node01 ~]# salt-call --local cmd.run date
local:
    Mon Nov 29 18:13:44 CST 2021
[root@node01 ~]# salt-call --local cmd.run ls /root
local:
    anaconda-ks.cfg 
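Added example, not part of the original post: a small POSIX shell script that performs the masterless setup above using a drop-in file under /etc/salt/minion.d/ (Salt's default minion config includes minion.d/*.conf) instead of editing the packaged /etc/salt/minion, writes a one-state tree, and applies it with salt-call --local. The drop-in name masterless.conf, the state name motd and the ROOT prefix argument (pass a temporary directory to stage the files without touching the live system) are my choices, not the page's.

```shell
#!/bin/sh
# Added example: bootstrap a masterless minion.
#   write_masterless_conf ROOT  - drop-in config with file_client: local and the roots
#   write_demo_state ROOT       - top.sls plus one state that manages /etc/motd
#   count_states ROOT           - number of states top.sls applies to '*'
#   apply_local ROOT            - run salt-call --local state.apply if salt-call exists
# ROOT is a prefix ("" for the live system, a temp dir to stage). Assumption: the
# file and state names below are mine, not from the original page.

write_masterless_conf() {
    root="${1:-}"
    conf_dir="$root/etc/salt/minion.d"
    mkdir -p "$conf_dir"
    # salt-call -c DIR expects DIR/minion to exist; create an empty one when staging
    [ -e "$root/etc/salt/minion" ] || : > "$root/etc/salt/minion"
    # Salt's default minion config includes minion.d/*.conf, so this overrides
    # file_client without touching the packaged /etc/salt/minion.
    cat > "$conf_dir/masterless.conf" <<EOF
file_client: local
file_roots:
  base:
    - $root/srv/salt/base
pillar_roots:
  base:
    - $root/srv/pillar/base
EOF
    printf '%s\n' "$conf_dir/masterless.conf"
}

write_demo_state() {
    root="${1:-}"
    mkdir -p "$root/srv/salt/base" "$root/srv/pillar/base"
    # top.sls: every minion (here only the local one) gets the motd state
    cat > "$root/srv/salt/base/top.sls" <<'EOF'
base:
  '*':
    - motd
EOF
    cat > "$root/srv/salt/base/motd.sls" <<'EOF'
motd-banner:
  file.managed:
    - name: /etc/motd
    - contents: "Managed by salt-call --local"
    - user: root
    - group: root
    - mode: '0644'
EOF
}

# Count the state entries under the '*' target in top.sls.
count_states() {
    root="${1:-}"
    grep -c '^    - ' "$root/srv/salt/base/top.sls"
}

apply_local() {
    root="${1:-}"
    if ! command -v salt-call >/dev/null 2>&1; then
        echo "salt-call not installed; files staged under ${root:-/}" >&2
        return 0
    fi
    # --local: never contact a master. With a staged ROOT, -c points salt-call
    # at that config directory (run as root so the minion pki dir can be created).
    if [ -n "$root" ]; then
        salt-call --local -c "$root/etc/salt" state.apply
    else
        salt-call --local state.apply
    fi
}

# Usage on the live host (as root): write_masterless_conf ""; write_demo_state ""; apply_local ""
```

Because the drop-in only contains file_client and the roots, the commented-out master line in /etc/salt/minion can stay as it is; salt-call --local ignores it.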

2. salt-master high availability

Lab environment: all hosts run CentOS 8

IP               Role              Services
192.168.136.130  master (primary)  salt-master salt-minion
192.168.136.140  master (backup)   salt-master salt-minion
192.168.136.141  minion            salt-minion

Data synchronisation

Whenever high availability is involved, keeping data in sync is the perennial problem. The two masters must work from identical data, which means:

  • the /etc/salt/master configuration file

  • every key under /etc/salt/pki (the master keypair, and the accepted minion keys under pki/master/minions/ so the backup trusts the same minions)

  • everything under the salt and pillar directories below /srv/

salt-master HA configuration

If salt manages every machine in the company, the master must not go down, otherwise everything stops. Making salt highly available is simple: edit the minion configuration and list the masters as a YAML list.

Configuration:

# install salt-minion (salt.repo must already be in place)
[root@node01 ~]# ll /etc/yum.repos.d/
-rw-r--r--. 1 root root  292 Nov 30 10:27 salt.repo
[root@node01 ~]# yum -y install salt-minion


# edit the configuration file
[root@node01 ~]# vim /etc/salt/minion
......
master: 192.168.136.130
......
[root@node01 ~]# systemctl restart salt-minion.service  # restart after every config change

[root@node01 ~]# tree /etc/salt/pki/    # install tree with yum if it is missing
/etc/salt/pki/
├── master
└── minion
    ├── minion.pem    # the minion generated its keypair on first start; the public key now has to be accepted on the master
    └── minion.pub

2 directories, 2 files



# On the master, accept node01's public key. Before accepting, compare the fingerprint printed by `salt-key -f node01` here with `salt-call --local key.finger` on node01: an accepted key is trusted to receive that minion's pillar data and file-server contents, so do not accept keys you have not verified.
[root@master ~]# salt-key -L 
Accepted Keys:
Denied Keys:
Unaccepted Keys:
master     # the salt-minion running on the master host itself; it is left unaccepted here
node01     # node01's key has arrived; accepting it puts node01 under this master's control
Rejected Keys:

[root@master ~]# salt-key -ya node01
The following keys are going to be accepted:
Unaccepted Keys:
node01
Key for minion node01 accepted.
[root@master ~]# salt-key -L 
Accepted Keys:
node01
Denied Keys:
Unaccepted Keys:
master
Rejected Keys:

[root@master ~]# salt 'node01' test.ping
node01:
    True
[root@master ~]# salt 'node01' cmd.run date
node01:
    Mon Nov 30 10:40:33 CST 2021

Configuring the backup master

[root@redun yum.repos.d]# yum -y install salt-master
......
......
[root@redun yum.repos.d]# tree /etc/salt/pki/  # both directories are still empty
/etc/salt/pki/
├── master
└── minion

2 directories, 0 files

# Copy the master keypair from the primary to the backup. Only the master keypair is copied here, not the minion keys, so node01 is accepted again on the backup below (copying /etc/salt/pki/master/minions/ as well would avoid that step). master.pem is the master's private key: after the copy, check on the backup that it is still owned by root and readable only by root.
[root@master master]# scp master.pem master.pub 192.168.136.140:/etc/salt/pki/master/
The authenticity of host '192.168.136.140 (192.168.136.140)' can't be established.
ECDSA key fingerprint is SHA256:wBk15Son1lWkklBlIeDP73ZdN8JvfI/rjtt3NQLOx44.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.136.140' (ECDSA) to the list of known hosts.
root@192.168.136.140's password: 
master.pem                                                          100% 1675     1.5MB/s   00:00    
master.pub                                                          100%  451   422.0KB/s   00:00  

# back on the backup, the primary's keypair is in place
[root@redun yum.repos.d]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
│   ├── master.pem
│   └── master.pub
└── minion

2 directories, 2 files


# start the service
[root@redun salt]# systemctl start salt-master.service 
[root@redun salt]# ss -antl
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process 
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*            
LISTEN 0      128          0.0.0.0:4505        0.0.0.0:*            
LISTEN 0      128          0.0.0.0:4506        0.0.0.0:*            
LISTEN 0      128             [::]:22             [::]:*     

# on first start salt-master creates the key directories
[root@redun salt]# tree /etc/salt/pki/
/etc/salt/pki/
├── master
│   ├── master.pem
│   ├── master.pub
│   ├── minions
│   ├── minions_autosign
│   ├── minions_denied
│   ├── minions_pre
│   └── minions_rejected
└── minion

7 directories, 2 files

Connecting the minion to the backup master

[root@node01 ~]# vim /etc/salt/minion
......
master: 192.168.136.140
......

# restart the service
[root@node01 ~]# systemctl restart salt-minion.service


# on the backup, accept the minion's key
[root@redun salt]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node01
Rejected Keys:

[root@redun salt]# salt-key -y node01    # -y without an action only lists the keys; accepting needs -a
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node01
Rejected Keys:

[root@redun salt]# salt-key -ya node01
The following keys are going to be accepted:
Unaccepted Keys:
node01
Key for minion node01 accepted.

[root@redun salt]# salt-key -L
Accepted Keys:
node01
Denied Keys:
Unaccepted Keys:
Rejected Keys:
[root@redun salt]# salt 'node01' test.ping
node01:
    True
 

Configuring the minion for failover

[root@node01 ~]# vim /etc/salt/minion
......
master:
  - 192.168.136.130
  - 192.168.136.140
......
master_type: failover   # failover: connect to one master at a time and move to the next one when it stops responding
......
master_alive_interval: 3    # check every 3 seconds that the current master is alive; a failed check triggers the switch


# restart because the configuration changed
[root@node01 ~]# systemctl restart salt-minion.service 
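Added example, not part of the original post: a POSIX shell script that writes the failover minion configuration above as a drop-in, and covers the data synchronisation requirement from the start of this section by checking the master private key's permissions before bundling /etc/salt/master, the master keypair, the accepted minion keys and the /srv trees for the backup. The drop-in name ha.conf, the master_failback settings, and the use of tar over ssh are my choices; the hostname and IPs are arguments.

```shell
#!/bin/sh
# Added example for the salt-master HA setup.
#   write_failover_conf ROOT M1 M2 - minion drop-in with the master list and failover options
#   check_master_keys DIR          - 0 if DIR/master.pem is readable by its owner only, else 1
#   sync_to_backup HOST            - copy config, keys and /srv trees to root@HOST
# ROOT is a prefix ("" for the live host, a temp dir to stage). The drop-in name
# and the failback values are my assumptions, not from the original page.

write_failover_conf() {
    root="$1"; m1="$2"; m2="$3"
    mkdir -p "$root/etc/salt/minion.d"
    cat > "$root/etc/salt/minion.d/ha.conf" <<EOF
master:
  - $m1
  - $m2
# failover: hold a connection to one master at a time, move on when it stops answering
master_type: failover
# seconds between liveness checks of the current master
master_alive_interval: 3
# go back to the first master in the list once it is reachable again
master_failback: True
master_failback_interval: 30
EOF
    printf '%s\n' "$root/etc/salt/minion.d/ha.conf"
}

# The master private key signs every job the minions will run, so refuse to
# ship it anywhere while it is group- or world-readable.
check_master_keys() {
    dir="$1"
    pem="$dir/master.pem"
    [ -f "$pem" ] || { echo "missing $pem" >&2; return 1; }
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$pem has mode $mode; expected 400 or 600" >&2; return 1 ;;
    esac
}

sync_to_backup() {
    host="$1"
    check_master_keys /etc/salt/pki/master || return 1
    # pki/master carries master.pem, master.pub and the minions/ directory of
    # accepted keys, so the backup trusts the same minions without re-accepting.
    # tar -p keeps the key file modes; ssh keeps the private key off the wire in clear.
    tar -C / -cpf - etc/salt/master etc/salt/pki/master srv/salt srv/pillar \
        | ssh "root@$host" 'tar -C / -xpf -'
}

# Usage on the live hosts (as root):
#   on node01:  write_failover_conf "" 192.168.136.130 192.168.136.140 && systemctl restart salt-minion
#   on master:  sync_to_backup 192.168.136.140 && ssh root@192.168.136.140 systemctl restart salt-master
```

Restart salt-master on the backup after the copy; it only reads the key directories at start-up.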


# Ping node01 from both masters: only the primary gets an answer. In failover mode the minion keeps a connection to a single master at a time, so the backup cannot reach it while the primary is up.
[root@master master]# salt 'node01' test.ping   #主节点
node01:
    True

[root@redun salt]# salt 'node01' test.ping  # backup: the job is published, but node01 is not connected here, so no return is possible
node01:
    Minion did not return. [No response]
    The minions may not have all finished running and any remaining minions will return upon completion. To look up the return data for this job later, run the following command:
    
    salt-run jobs.lookup_jid 20211129111547413628
ERROR: Minions returned with non-zero exit code



# Simulate a failed primary and check whether the backup takes over and can reach node01
[root@master master]# systemctl stop salt-master.service 
# the primary is now stopped, standing in for a crashed master

[root@redun salt]# salt 'node01' test.ping   # the backup now reaches node01: the failover has completed
node01:
    True




# On node01 the service is still running; the switch to the backup master itself is recorded in the minion log (journalctl -u salt-minion), not in the systemctl status output below
[root@node01 ~]# systemctl status salt-minion.service 
● salt-minion.service - The Salt Minion
   Loaded: loaded (/usr/lib/systemd/system/salt-minion.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-11-29 19:12:25 CST; 7min ago
     Docs: man:salt-minion(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltproject.io/en/latest/contents.html
 Main PID: 129021 (salt-minion)
    Tasks: 6 (limit: 16538)
   Memory: 93.8M
   CGroup: /system.slice/salt-minion.service
           ├─129021 /usr/bin/python3.6 /usr/bin/salt-minion
           ├─129048 /usr/bin/python3.6 /usr/bin/salt-minion
           └─129050 /usr/bin/python3.6 /usr/bin/salt-minion

3. salt-syndic distributed architecture

Architecture diagram (image not reproduced here)

Properties of salt-syndic

  • syndics allow more complex, tiered salt architectures
  • they take load off the top-level master
  • the salt and pillar directories under /srv on the syndic must match those on the top-level master, because its minions fetch files from the syndic's own master process; sync them the same way as for salt-master HA
  • when targeting, the top-level master does not see syndics: `salt '*'` reaches the minions behind a syndic as if they were connected directly, and the syndic itself does not show up in the returns. The top-level master does, however, have to accept each syndic's key (step 6 below)

Deployment

Environment:

IP               Role             Services
192.168.136.130  master           salt-master
192.168.136.140  syndic           salt-master salt-syndic
192.168.136.141  minion (node01)  salt-minion
192.168.136.142  minion (node02)  salt-minion

1. Install the software

Install salt-master and salt-syndic on the syndic host; the salt.repo repository must already be configured everywhere.

[root@master ~]# yum -y install salt-master
[root@syndic ~]# yum -y install salt-master salt-syndic
[root@node01 ~]# yum -y install salt-minion
[root@node02 ~]# yum -y install salt-minion

2. Configure the master

Edit the master configuration file on the host with the master role:

  • uncomment order_masters
  • set order_masters to True
[root@master ~]# vim /etc/salt/master
.....
# masters' syndic interfaces.
order_masters: True
.....

[root@master ~]# systemctl restart salt-master.service

3. Configure the syndic
Edit the master configuration file on the syndic host:

  • uncomment syndic_master
  • set syndic_master to the IP of the host with the master role
[root@syndic ~]# vim /etc/salt/master
.....
syndic_master: 192.168.136.130
.....

[root@syndic ~]# systemctl enable --now salt-master.service 
Created symlink /etc/systemd/system/multi-user.target.wants/salt-master.service → /usr/lib/systemd/system/salt-master.service.
[root@syndic ~]# systemctl enable --now salt-syndic.service 
Created symlink /etc/systemd/system/multi-user.target.wants/salt-syndic.service → /usr/lib/systemd/system/salt-syndic.service.
[root@syndic ~]# ss -antl
State  Recv-Q Send-Q   Local Address:Port   Peer Address:Port Process                                                       
LISTEN 0      128            0.0.0.0:22          0.0.0.0:*                                                                  
LISTEN 0      128            0.0.0.0:4505        0.0.0.0:*                                                                  
LISTEN 0      128            0.0.0.0:4506        0.0.0.0:*                                                                  
LISTEN 0      128               [::]:22             [::]:*     

4. Configure the minions
Point every minion at the syndic host.

Make the same change on all minions. Also check the id option in the minion config: it must uniquely identify the minion (its hostname or IP). If the hostname is not localhost, the id defaults to the hostname; if it is localhost, the id falls back to the host's IP address.

[root@node01 ~]# vim /etc/salt/minion
......
master: 192.168.136.140     # the IP of the syndic host, not of the top-level master
......

## if every minion uses the same configuration, copy this file over the others
[root@node01 ~]# scp /etc/salt/minion 192.168.136.142:/etc/salt/minion
The authenticity of host '192.168.136.142 (192.168.136.142)' can't be established.      # no key-based login is set up, so a password is required
ECDSA key fingerprint is SHA256:AdZYklxobnUxDi4dBcsR4NlkIf2e0TDMeP3E4eQH4R8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.136.142' (ECDSA) to the list of known hosts.
root@192.168.136.142's password: 
minion                      100%   38KB  29.8MB/s   00:00    

# restart every minion
[root@node01 ~]# systemctl restart salt-minion.service 
[root@node02 salt]# systemctl restart salt-minion.service

5. Accept the minion keys on the syndic

[root@syndic ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
node01
node02
Rejected Keys:


[root@syndic ~]# salt-key -ya  node01
The following keys are going to be accepted:
Unaccepted Keys:
node01
Key for minion node01 accepted.

[root@syndic ~]# salt-key -ya  node02
The following keys are going to be accepted:
Unaccepted Keys:
node02
Key for minion node02 accepted.

[root@syndic ~]# salt-key -L
Accepted Keys:
node01
node02
Denied Keys:
Unaccepted Keys:
Rejected Keys:

6. Accept the syndic's key on the master

[root@master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
master     # the salt-minion still running on the master host from section 2; leave it unaccepted
syndic     # the syndic presents itself to the top-level master under its own id
Rejected Keys:

[root@master ~]# salt-key -ya syndic
The following keys are going to be accepted:
Unaccepted Keys:
syndic
Key for minion syndic accepted.

[root@master ~]# salt-key -L  
Accepted Keys:
syndic        # accepted
Denied Keys:
Unaccepted Keys:
master
Rejected Keys:

7. Sync the state files under /srv between master and syndic

# sync the state files to the syndic host
[root@master ~]# scp -r /srv/* 192.168.136.140:/srv/
......
......


# Set file_roots and pillar_roots in the syndic's master config to the same paths as on the master. The minions fetch state and pillar data from the syndic's own master process, not from the top-level master, so both the trees and the roots configuration must match.
[root@master ~]# vim /etc/salt/master    #master主机上配置
......
file_roots:
  base:
    - /srv/salt/base
  test:
    - /srv/salt/test
  dev:
    - /srv/salt/dev
  prod:
    - /srv/salt/prod
......
pillar_roots:
  base:
    - /srv/pillar/base
  prod:
    - /srv/pillar/prod
......

[root@syndic ~]# vim /etc/salt/master    //syndic主机的master配置文件
......
file_roots:
  base:
    - /srv/salt/base
  test:
    - /srv/salt/test
  dev:
    - /srv/salt/dev
  prod:
    - /srv/salt/prod
......
pillar_roots:
  base:
    - /srv/pillar/base
  prod:
    - /srv/pillar/prod

[root@syndic web]# systemctl restart salt-master.service 
[root@syndic web]# systemctl restart salt-syndic.service 
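Added example, not part of the original post: after copying /srv to the syndic (step 7) or to an HA backup master (section 2), a POSIX shell check that the two trees are byte-identical. It builds a sorted sha256 manifest of one tree with relative paths, so manifests taken on different hosts can be diffed directly; compare_trees does the diff for two local directories, remote_manifest runs the same listing over ssh. The function names and the use of sha256sum are my choices.

```shell
#!/bin/sh
# Added example: verify that state/pillar trees on two hosts match.
#   srv_manifest DIR        - "sha256  ./relative/path" lines, sorted by path
#   compare_trees A B       - 0 if the manifests of A and B are identical, 1 otherwise
#   remote_manifest HOST DIR - the same manifest taken on root@HOST
# Assumption (mine, not the page's): sha256sum and find are available on both hosts.

srv_manifest() {
    dir="$1"
    # relative paths so manifests from different hosts are comparable;
    # LC_ALL=C gives the same sort order everywhere
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

compare_trees() {
    a="$1"; b="$2"
    ma=$(mktemp); mb=$(mktemp)
    srv_manifest "$a" > "$ma"
    srv_manifest "$b" > "$mb"
    # diff -u prints the drift (missing, extra or changed files) and fails on any difference
    if diff -u "$ma" "$mb"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$ma" "$mb"
    return $rc
}

remote_manifest() {
    host="$1"; dir="$2"
    ssh "root@$host" "cd '$dir' && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2"
}

# Usage from the top-level master after step 7:
#   srv_manifest /srv/salt > master.txt
#   remote_manifest 192.168.136.140 /srv/salt > syndic.txt
#   diff -u master.txt syndic.txt && echo "syndic file tree matches"
# Repeat for /srv/pillar. A non-empty diff means the syndic would serve different
# states to its minions than the master expects.
```

Run the check again whenever states are edited on the master; scp -r does not delete files removed on the source, and that kind of drift is exactly what the manifest diff catches.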

Testing

# ping test: the syndic not appearing in the output is expected; the master targets minions and the syndic only relays
[root@master ~]# salt '*' test.ping   
node02:
    True
node01:
    True

[root@master ~]# salt '*' cmd.run date
node02:
    Mon Nov 30 11:47:54 CST 2021
node01:
    Mon Nov 30 11:47:55 CST 2021

# run a state file
[root@master web]# salt '*' state.sls web.httpd
......
......
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time:  29.589 s


[root@master web]# cat httpd.sls 
install-httpd:
  pkg.installed:
    - name: httpd

service-httpd:
  service.running:
    - name: httpd
    - enable: true

# confirm httpd is listening on both minions
[root@node01 ~]# ss -antl
State      Recv-Q     Send-Q           Local Address:Port           Peer Address:Port     Process     
LISTEN     0          128                    0.0.0.0:22                  0.0.0.0:*                    
LISTEN     0          128                          *:80                        *:*                    
LISTEN     0          128                       [::]:22                     


[root@node02 ~]# ss -antl
State      Recv-Q     Send-Q           Local Address:Port           Peer Address:Port     Process     
LISTEN     0          128                    0.0.0.0:22                  0.0.0.0:*                    
LISTEN     0          128                          *:80                        *:*                    
LISTEN     0          128                       [::]:22     
